VYPR
Medium severity 5.4 · NVD Advisory · Published Jun 19, 2024 · Updated Apr 15, 2026

CVE-2023-39310

Description

Missing Authorization vulnerability in ThemeFusion Fusion Builder. This issue affects Fusion Builder: from n/a through 3.11.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Fusion Builder plugin for WordPress, in versions up to 3.11.1, has a missing authorization check that allows authenticated attackers to perform unauthorized actions.

Vulnerability Description

CVE-2023-39310 is a missing authorization vulnerability in the ThemeFusion Fusion Builder plugin for WordPress, affecting versions from n/a through 3.11.1 [1]. The plugin fails to properly verify user capabilities before granting access to certain functions, leading to a broken access control issue [1].

Exploitation

An authenticated attacker with low privileges can exploit this flaw by sending crafted requests to the affected endpoint, bypassing authorization checks [1]. No special network position or additional authentication is required beyond a valid WordPress user account [1]. The vulnerability is being used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows an attacker to perform actions normally reserved for higher-privileged users, such as modifying site content or settings, depending on the misconfigured function [1]. The CVSS v3 base score is 5.4 (Medium), with a vector indicating low attack complexity and low privileges required [1].

Mitigation

The vulnerability has been patched in version 3.11.2 of Fusion Builder [1]. Users are strongly advised to update immediately. For those unable to update, applying a web application firewall rule or seeking hosting provider assistance can provide temporary protection [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
